Newbie questions about CSS (11503)

Answered Question
Mar 19th, 2007

I am going to be installing a couple ASA failover pairs plus a redundant CSS load-balancing solution soon, and I have some basic newbie questions about setting up the CSS11503's. The basic scenario is this:

Internet -> FW Pair 1(A/S Failover) -> DMZ1 -> CSS (Failover) -> Web Servers -> FW Pair 2(A/S Failover) -> DMZ2 -> SQL Servers

The customer seems to think that DMZ1, CSS, Web Servers and FW pair 2 outside interface should all be in the same subnet. It appears from reading several posts, that this may be possible - but is it the best way to do it? I have the ability to influence the design, so I want to know the best way.

I also am not sure what is optimum for how NAT is accomplished. Should FW pair 1 do it, or is it better to let the CSS pair do it. Also, what is the best design for the CSS failover.

If you had a clean slate, how would you do it?

Thanks

Dave

I have this problem too.
0 votes
Correct Answer by Gilles Dufour about 9 years 8 months ago

The CSS can work in brigde mode or routed mode.

What your customer wants to do is ok. It's good to save on ip addresses if you need to.

But that's the only advantage. The CSS works the same weither you do bridge mode or routed mode.

For CSS failover, I definitely recommend Vip/Interface redundancy vs Box-to-Box.

You get faster failover time and you get the possibility to enable ASR for stateful failover.

Regarding nat, I prefer to let the firewall do it.

Gilles.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Gilles Dufour Tue, 03/20/2007 - 05:29

The CSS can work in brigde mode or routed mode.

What your customer wants to do is ok. It's good to save on ip addresses if you need to.

But that's the only advantage. The CSS works the same weither you do bridge mode or routed mode.

For CSS failover, I definitely recommend Vip/Interface redundancy vs Box-to-Box.

You get faster failover time and you get the possibility to enable ASR for stateful failover.

Regarding nat, I prefer to let the firewall do it.

Gilles.

Actions

This Discussion